Good morning, folks! Another week, another threat surface gets its turn in the press! While I have been working hard to prepare for the upcoming Cisco Live (2-6 June in Las Vegas!), news seems to be picking up before RSA Conference next week. This week we saw a lot of continued fallout from breaches past, variations on perimeter defense vulns, and more. We even see yet another tool essential to many get hacked – is nothing sacred? Let’s get into it!
Playing the hits: Mobile gets some ‘love’
Please don’t misunderstand this section – the perimeter and infrastructure device focus is still a massive concern and soaking up a lot of oxygen (Cisco, PAN, Ivanti, etc.). But it has been some time since we’ve seen such a rash of endpoint and mobile-related vulnerability news. That pent-up demand burst this week.
First up was macOS. Apple just released a massive update to its built-in malware protection engine, XProtect, to counter the explosion in Adload malware’s use across its user base. XProtect uses YARA rules, which makes it very transparent. The recent updates on April 30th show that Apple went pretty extensively into shutting down Adload’s code base.
Next up was the Android ecosystem, within which Microsoft researchers found a new “Dirty Stream” attack path that allows a malicious app to overwrite files in another app’s home directory by abusing content sharing meant to help apps work together. Their report is in-depth and very informative. I haven’t been able to locate any mitigation or protection steps, but things move fast!
In both cases, we’re seeing novel paths that allow user devices to fall victim. These devices may not be as critical or desirable as a perimeter firewall, but they can often provide credentials or a toehold that adversaries can pivot from. Keep your stuff up-to-date, only download apps from trusted vendors, scrutinize any permissions you grant, and think about separating work and personal use on different devices, or at least with some isolation.
Another popular SaaS family hit!
It is pretty tough to find a company or household that doesn’t use Dropbox to some degree. Dropbox Sign, from their HelloSign acquisition, is similar to DocuSign and allows official documentation to be passed for legal signatures and delivery. On April 24th, Dropbox discovered an intrusion into those systems that compromised names and email addresses. They have since added authentication information to the list of at-risk data. No word yet on who the threat actor is, but it is early, and as more TTPs become known we’ll certainly learn more.
Some of the company’s newer acquisitions are not as widely known or used. Given that most software companies are in a continual state of integration, a breach of one tool often raises questions about the integrity of others. That is certainly the case here, and we’ll have to see how this plays out in the investigation.
- Want to read more? This article provides background on the service and some initial messaging.
- Want to get nerdy? The SEC filings are something we all need to get familiar with. Reporting requirements and the scrutiny help clear away the spin and BS. This is where the additional PII stuff was revealed.
Where are they now? Change Healthcare keeps getting worse news
UnitedHealthcare (parent company of Change Healthcare, the recently breached pharmaceutical claims processing arm) sent their CEO in front of Congress, and it did not go well for him. Root causes have been slow to be shared, but now we know a stolen set of non-MFA-protected Citrix credentials played a big part. Oh, and one third of Americans were likely impacted. But knowing would require Change actually had good processes, tools, and a clue. That was not the case 🙁
Stay tuned on this one, folks. We’ll see how the US medical quagmire handles all of this. One of the first things I encourage customers to think about is reducing complexity. Simpler systems offer less to protect and fewer quirks to secure. Eventually, it may occur to us all that shirking healthcare reform and eliminating the massive profit-driven complexity is starting to cost all of us way more than a tax bump. It is impacting patient outcomes, fair access, and staffing. Lives and our personal sovereignty are at stake.
This week in AI
We’ve briefly discussed the dual-use nature of AI in past entries. The US Department of State and Department of Commerce use that classification for things like export control. Maybe a material or component is useful in making fine wristwatches? If that same component is also vital to the manufacture of weapons, they call it “dual use” and control who can buy it outside of the US. I think software should get more scrutiny than it does – certainly breach automation frameworks like Cobalt Strike would fit the bill.
I also happen to think that a similar consideration is needed for AI. Heck, ATT&CK version 15 even gave it its own Technique and sub-techniques! I know the regulation cat is out of the bag, but the same tech can offer both good and bad outcomes. Take, for instance, threat actors’ use of OpenAI accounts for bad ends. A joint effort by Microsoft and their close pals OpenAI focused on a who’s who of state-sponsored APTs:
- Chinese threat actors Salmon Typhoon (SODIUM/APT4/Maverick Panda – purveyors of Sykipot malware) and Charcoal Typhoon (CHROMIUM/RedHotel/Aquatic Panda)
- Iranian APT Crimson Sandstorm (CURIUM/Imperial Kitten)
- North Korean actor Emerald Sleet (THALLIUM/Kimsuky/Velvet Chollima)
- Russian APT Forest Blizzard (STRONTIUM/APT28/Fancy Bear)
When you read Microsoft and OpenAI’s posts, you get a sobering lesson in creative LLM use. Each had their own unique ways of leveraging and abusing OpenAI prior to their accounts being terminated. Some focused on open source intelligence gathering and recon, others on researching scripts, payloads and vulns. The Microsoft appendix in particular gives you both inspiration and fear.
My point? It is probably too late, but government’s and society’s inability to wrangle the dual-use character of these tools will make watch components and metal alloys seem trivial by comparison.
Things I am keeping an eye on
- MITRE’s CTID folks released a new version of ATT&CK (version 15) and it includes a lot of cool stuff! AI gets a lot of attention (7 sub-techniques!) and they expanded Cloud and Infrastructure as Code (IaC) concepts too. CTI, mobile devices, ICS, TAXII updates, and even a Splunk-friendly revision to CAR round it all out!
- Verizon released their popular and informative Data Breach Investigations Report (DBIR) this week. Vuln exploitation surged, and it still takes 55 days to address these holes after disclosure. It’s no wonder 14% of breaches now start with a vuln being exploited. Prefer the Cliff’s Notes?
- The UK’s NCSC joined the chorus (again) warning of Russian APTs attacking critical infrastructure.
- Hacktivists “Anonymous Arabia” claimed credit for an attack on Columbia University in retaliation for police crackdowns on the pro-Palestinian protestors. A couple of notes – no one seems to think it happened, and aren’t some Anon efforts just influence campaigns sloppily waged by other threat actors? Hmmmm.
- A vulnerability-mitigation consultant was arrested for trying to extort $1.5M from his former client when they let him go for being a putz.
Good Reads
- I am reading a lot of good threat reports in preparation for a new session of content for this Cisco Live, but I don’t want to spoil the surprise. That being said, I continue to enjoy the works of my colleagues at Talos, who do a bang-up job of protecting us and informing us. They are unable to share a lot of the details on current stuff, but once in a while a good story gets out. Joe Marshall is as good as they come, and this blog post about his efforts to help the Ukrainian power grid defend itself is just inspiring. Check it out!
I hope you all have a great weekend, and I look forward to engaging with you all here or in person. Hit me up if you want to chat about any of the above!